Yeah, I'm getting these too. On my older server, I set up something to
tail -f the log into a bit of perl to look for them, and firewall off on
3 invalid attempts (or 2 as root). On my home machine I was using
syslog-ng, so I set up a new destination like this:
destination sshscanner { program("/etc/syslog-ng/findbrutes.pl"); };
log { source(src); filter(f_authpriv); destination(sshscanner); };
which should feed the results more reliably to my process. For reference
the perl script is:
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # no output buffering: syslog-ng hands us one line at a time

my $Machine   = "mymachinename";   # change this to your machine name
my $DontBlock = qr/^1\.2\.3\.4$/;  # RegExp to match any IPs you never want to block, just in case

# Syslog timestamp at the start of every line, e.g. "Mar  3 10:15:01"
my $LogDate    = qr/^[JFMASOND][aepuco][nbrylgptvc] [ 123][0-9][0-2][0-9]:[0-5][0-9]:[0-5][0-9]/;
my $LinePrefix = qr/$LogDate \Q$Machine\E sshd\[[0-9]+\]: Failed password for/;
my $LineSuffix = qr/from ([0-9.]+) port [0-9]+ ssh2$/;   # $1 = source IP

my %nasty;    # accumulated score per source IP

while (<>) {
    my $ip    = "";
    my $score = 0;
    if ($_ =~ /$LinePrefix invalid user \S+ $LineSuffix/) {
        $ip    = $1;
        $score = 1;
    } elsif ($_ =~ /$LinePrefix root $LineSuffix/) {
        $ip    = $1;
        $score = 3;    # root counts triple, so one root attempt trips the default trigger
    }
    # Eeep, don't block me, I'm nice!
    next if $score == 0 || $ip =~ $DontBlock;

    $nasty{$ip} += $score;
    next if $nasty{$ip} < 2;    # You can tweak the trigger score here

    # Don't add a duplicate rule if the IP is already in the BLAT chain.
    # Match the whole address, so 1.2.3.4 is not mistaken for 11.2.3.45.
    my $rules = `/usr/sbin/iptables -n -L BLAT`;
    next if $rules =~ /(?<![\d.])\Q$ip\E(?![\d.])/;

    # List-form system(): no shell involved, $ip is passed as one argument.
    system("/bin/logger", "-p", "authpriv.notice", "Blatting ssh scanner $ip");
    system("/usr/sbin/iptables", "-A", "BLAT", "-s", $ip, "-j", "DROP") == 0
        or warn "iptables -A BLAT -s $ip failed: $?\n";
    print $ip, "\n";
}
You'll also need to add a new chain to your iptables, called BLAT and
pass everything through it before letting it continue.
iptables -N BLAT
iptables -A INPUT -j BLAT
Hope that helps,
Ainsley
--
http://linuxfromscratch.org/mailman/listinfo/lfs-security
FAQ: http://www.linuxfromscratch.org/faq/
Unsubscribe: See the above information page
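The scoring and trigger logic from Ainsley's script, as an added example in Python that is not part of the post. It runs the same rules (unknown user scores 1, root scores 3, trigger at 2, allow-listed addresses never blocked) over a constructed sample log, generalizes the line parser to any username and to IPv6 addresses, compares addresses exactly instead of with a substring grep, and returns the iptables argv for the BLAT chain instead of executing it, so the decision can be checked without touching the firewall. The sample lines, host name and addresses are made up; the chain name BLAT and the scores come from the post.

```python
import re
import ipaddress
from collections import defaultdict

# One sshd "Failed password" line as syslog / syslog-ng's default program()
# template writes it: "<date> <host> sshd[<pid>]: <message>".  Unlike the
# Perl script this accepts any username (admin1, web_user, ...) and IPv6.
FAILED_RE = re.compile(
    r"^[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d "          # syslog timestamp
    r"(?P<host>\S+) sshd\[\d+\]: Failed password for "
    r"(?:(?P<invalid>invalid user) )?(?P<user>\S+) "
    r"from (?P<ip>[0-9A-Fa-f.:]+) port \d+ ssh2$"
)

# Same scoring as the post: an unknown account counts 1, root counts 3,
# a failed login to a real non-root account is ignored (0).
SCORE_INVALID_USER = 1
SCORE_ROOT = 3


def parse_failed_login(line):
    """Return (ip_address, score) for a failed-login line, else None."""
    m = FAILED_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    try:
        ip = ipaddress.ip_address(m["ip"])
    except ValueError:          # garbage in the address column: not actionable
        return None
    if m["invalid"]:
        return ip, SCORE_INVALID_USER
    if m["user"] == "root":
        return ip, SCORE_ROOT
    return ip, 0


class BruteTracker:
    """Accumulates a score per source IP and decides when to add a DROP rule."""

    def __init__(self, threshold=2, never_block=()):
        self.threshold = threshold
        # Exact-address comparison, so 1.2.3.4 on the allow-list does not
        # also protect 11.2.3.45 the way a bare `grep 1.2.3.4` would.
        self.never_block = {ipaddress.ip_address(a) for a in never_block}
        self.scores = defaultdict(int)
        self.blocked = set()

    def feed(self, line):
        """Feed one log line; return the iptables argv to run, or None."""
        parsed = parse_failed_login(line)
        if parsed is None:
            return None
        ip, score = parsed
        if score == 0 or ip in self.never_block or ip in self.blocked:
            return None
        self.scores[ip] += score
        if self.scores[ip] < self.threshold:
            return None
        # Remember the block in-process instead of re-reading `iptables -L`.
        self.blocked.add(ip)
        return ["/usr/sbin/iptables", "-A", "BLAT", "-s", str(ip), "-j", "DROP"]


def block_commands(lines, threshold=2, never_block=("1.2.3.4",)):
    """Run a batch of log lines through one tracker; return the rules it emits."""
    tracker = BruteTracker(threshold, never_block)
    return [cmd for cmd in (tracker.feed(line) for line in lines) if cmd]


# Constructed sample log (not from the post); the addresses are from the
# documentation ranges 198.51.100.0/24, 203.0.113.0/24, 192.0.2.0/24, 2001:db8::/32.
SAMPLE_LOG = [
    "Mar  3 10:15:01 myhost sshd[1201]: Failed password for invalid user admin1 from 198.51.100.7 port 50012 ssh2",
    "Mar  3 10:15:03 myhost sshd[1202]: Failed password for invalid user test from 198.51.100.7 port 50013 ssh2",
    "Mar  3 10:15:05 myhost sshd[1203]: Failed password for root from 203.0.113.9 port 41000 ssh2",
    "Mar  3 10:15:07 myhost sshd[1204]: Failed password for invalid user guest from 1.2.3.4 port 41001 ssh2",
    "Mar  3 10:15:09 myhost sshd[1205]: Failed password for invalid user guest from 1.2.3.4 port 41002 ssh2",
    "Mar  3 10:15:11 myhost sshd[1206]: Failed password for ainsley from 192.0.2.5 port 41003 ssh2",
    "Mar  3 10:15:12 myhost sshd[1207]: Accepted password for ainsley from 192.0.2.5 port 41003 ssh2",
    "Mar  3 10:15:13 myhost sshd[1208]: Failed password for invalid user admin1 from 198.51.100.7 port 50014 ssh2",
    "Mar  3 10:15:14 myhost sshd[1209]: Failed password for root from 2001:db8::1 port 22 ssh2",
]

if __name__ == "__main__":
    for cmd in block_commands(SAMPLE_LOG):
        print(" ".join(cmd))     # a deployment would subprocess.run(cmd, check=True)
```

Fed the sample above, the tracker emits three rules: 198.51.100.7 after its second unknown-user attempt, 203.0.113.9 and 2001:db8::1 after a single root attempt, while 1.2.3.4 (allow-listed), the valid-user failure, the "Accepted" line and the repeat from an already-blocked address produce nothing.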